Effective enterprise patch management policies can greatly improve security posture and prevent cyberattacks; however, many enterprise IT staff are confused about patch management.

A new survey conducted by Tripwire suggests that InfoSec staff often confuse patch management with vulnerability remediation. The complexity of enterprise patch management also leaves many security professionals unsure about when patches should be applied and what a given patch actually changes.

The Complexity of Enterprise Patch Management Causes Problems for Many IT Security Professionals

The Tripwire survey was conducted on 480 IT security professionals and asked questions about enterprise patch management policies at their organizations.

The results show that IT staff are struggling to ensure that all systems are maintained in a fully patched state. 67% of respondents said that at least some of the time, they are unsure about which patches need to be applied to certain systems.

The complexity of enterprise patch management is a problem. For instance, Google Chrome ships with its own embedded copy of Adobe Flash, so a fix for a Flash vulnerability may arrive as part of a Chrome update. That update fixes the copy of Flash embedded in Chrome, but it does nothing for a standalone Flash installation on the same machine or for the Flash plugin used by other browsers; those need their own updates. 86% of respondents said that issues such as this make it difficult to understand the impact of a patch. It is all too easy for a vulnerability to remain exploitable on a system that has, on paper, been patched.

A single patch often addresses multiple security vulnerabilities, but only in the product or component it ships for; it does not remove those vulnerabilities from every system or every copy of the affected code. Applying a patch therefore does not necessarily remediate a vulnerability entirely. According to Tripwire, "The relationship between patches and vulnerabilities is far more complex than most people think."

There is also considerable confusion between patches and software upgrades. When it comes to addressing security vulnerabilities, a patch may fix some, an upgrade to a newer version may fix others, and there is often some overlap between the two. Because of this, organizations struggle to ensure that all software is both properly patched and fully up to date, and to prove which vulnerabilities are actually closed once either has been applied.

The survey revealed that half of respondents do not clearly distinguish between applying patches and remediating security vulnerabilities: 7% did not realize there was a difference between applying a patch and resolving a vulnerability, and a further 43% said their staff had trouble understanding the difference.
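The Flash-in-Chrome case above and the applied-versus-resolved distinction in the survey come down to the same reconciliation problem: a patch updates one install context of a component, while a vulnerability applies to every copy of that component below the fixed version. The following is an added example, not code from the article or from Tripwire, that models that mapping and reports which vulnerable installs remain after a set of patches and upgrades. The inventory, vulnerability names (VULN-A, VULN-B), patch names and version numbers are all constructed for illustration.

```python
from dataclasses import dataclass

# One installed copy of a component, identified by the host it sits on and the
# context it runs in (e.g. "chrome-embedded" vs "standalone"). Versions are tuples
# so they compare numerically rather than as strings.
@dataclass(frozen=True)
class Install:
    host: str
    component: str
    context: str
    version: tuple

# A vulnerability affects every copy of a component whose version is below fixed_in,
# regardless of which product embeds that copy.
@dataclass(frozen=True)
class Vulnerability:
    vid: str
    component: str
    fixed_in: tuple

# A patch (or upgrade) only moves the copies in one context on the listed hosts.
@dataclass(frozen=True)
class Patch:
    pid: str
    component: str
    context: str
    to_version: tuple
    hosts: frozenset


def apply_patches(inventory, patches):
    """Return the inventory as it looks after the given patches are rolled out."""
    updated = []
    for inst in inventory:
        version = inst.version
        for p in patches:
            if (p.component == inst.component and p.context == inst.context
                    and inst.host in p.hosts and p.to_version > version):
                version = p.to_version
        updated.append(Install(inst.host, inst.component, inst.context, version))
    return updated


def exposure(inventory, vulns):
    """Map each vulnerability id to the (host, context) pairs still below its fix."""
    return {
        v.vid: sorted((i.host, i.context) for i in inventory
                      if i.component == v.component and i.version < v.fixed_in)
        for v in vulns
    }


def remaining_after(inventory, vulns, patches):
    """Exposure that survives a patch rollout: what "patched" does not guarantee."""
    return exposure(apply_patches(inventory, patches), vulns)


# Constructed inventory: two workstations, three copies of Flash in three contexts.
INVENTORY = [
    Install("ws1", "flash", "chrome-embedded", (11, 0)),
    Install("ws1", "flash", "standalone", (11, 0)),
    Install("ws2", "flash", "firefox-plugin", (11, 0)),
]

# Constructed vulnerabilities: one fixed by a point release, one only by a major upgrade.
VULNS = [
    Vulnerability("VULN-A", "flash", fixed_in=(11, 1)),
    Vulnerability("VULN-B", "flash", fixed_in=(12, 0)),
]

# A Chrome update that carries the embedded Flash fix, applied fleet-wide.
CHROME_PATCH = Patch("chrome-update", "flash", "chrome-embedded", (11, 1),
                     frozenset({"ws1", "ws2"}))
# A separate major-version upgrade of the standalone Flash install on ws1 only.
STANDALONE_UPGRADE = Patch("flash-standalone-upgrade", "flash", "standalone", (12, 0),
                           frozenset({"ws1"}))

if __name__ == "__main__":
    for label, patches in [("chrome patch only", [CHROME_PATCH]),
                           ("chrome patch + standalone upgrade",
                            [CHROME_PATCH, STANDALONE_UPGRADE])]:
        print(label)
        for vid, left in remaining_after(INVENTORY, VULNS, patches).items():
            print(f"  {vid}: still exposed on {left if left else 'nothing'}")
```

Running it shows the gap the survey describes: after the Chrome patch the "patched" host ws1 still carries VULN-A in its standalone Flash, and VULN-B remains everywhere because it needs an upgrade rather than a patch. The point of reconciling this way is that the vulnerability list, not the list of applied patches, is the thing reported upward.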

Patches are now released constantly, and many enterprises find it difficult to cope with the sheer volume. Before the survey was conducted, Tripwire expected only a small number of organizations to be experiencing "patch fatigue." The results make clear that it is a widespread problem: 50% of respondents said that patches are now being released at an unmanageable rate.

Enterprise patch management may be one of the most basic security measures, but effective patch management is anything but simple.